Watering Hole Attacks: Protecting Yourself from the Latest Craze in Cyber Attacks

September 23, 2013

Author: Harold Byun, Skyhigh Networks

Cyber criminals are clever and know how to evolve – you’ve got to give them that. They’ve proven this once again with their latest cyber attack strategy, the Watering Hole Attack, which leverages cloud services to help gain access to even the most secure and sophisticated enterprises and government agencies.
Attacks Used to be Humorously Simple

In earlier days, attackers operated more simply using emails entitled “ILOVEYOU” or poorly worded messages from Nigerian generals promising untold fortunes of wealth. Over the years, the attacks have evolved into complex spear phishing operations that target specific individuals who can help navigate an organization’s personnel hierarchy or identify digital certificate compromises that lead to command and control over the enterprise infrastructure. In either scenario, the success of the attacks has always been predicated on the fact that users are humans who will occasionally click on or open something that is suspect or compromised.
Now the Bad Guys are getting Smart

More recently, a new, more sophisticated, type of attack is hitting the enterprise. The concept behind the watering hole attack is that in order to insert malware into a company, you must stalk an individual or group and place malware on a site that they trust (a “watering hole”), as opposed to in an email that will be quickly discarded.

Identifying the “Watering Hole”

Inserting malware into a frequently visited site sounds like a great plan, but how do attackers find the right sites? It’s pretty tough to get malware onto the major sites that most people visit like cnn.com or espn.com, so attackers need to know which smaller, less-secure sites (i.e. watering holes) are frequented by employees of the targeted company.

But how can an attacker know which watering holes users frequent most often? How can an attacker find out which watering holes an entire organization or company frequents, and how often? And how can they capture this information without anyone clicking anything? The answer…
Tracking Services

Users unknowingly provide all of this information simply by surfing the internet as they normally do. When a user surfs the internet from their company today, automated tracking methods used by marketing and ad tracking services identify traffic patterns and accesses. These tracking services silently capture all this information without users ever being aware their actions online are being followed.

This would seem to be harmless information (aside from the irritatingly persistent retargeting ads you must endure), but the tracking services are essentially mapping the behavioral web patterns of your entire organization. This shows which sites employees frequent, and this information also allows attackers to deduce your company’s browsing and cloud services access policies. In other words, it tells an attacker which watering holes you let your users visit.

Planting the Trap

This gives the adversary a map of the sites to target for infiltration. They target the most vulnerable sites, smaller companies or blogs that don’t have strict security. They plant malicious code on the watering hole site. Once the trap is laid, they simply wait for users to visit the sites they have frequented in the past.

The probability of success is significantly higher for watering hole attacks since the attacker has used the tracking service’s data to confirm that traffic to the site is both allowed and frequent. When a user visits the site, the malicious code redirects the user’s browser to a malicious site so the user’s machine can be assessed for vulnerabilities. The trap is sprung.
Malware Phone Home

Once the user steps in the trap by visiting the watering hole, they are assessed for vulnerabilities. Using drive-by downloading techniques, attackers don’t need users to click or download any files to their computer. A small piece of code is downloaded automatically in the background. When it runs, it scans for zero-day vulnerabilities (flaws discovered by the most sophisticated cyber criminals and still unknown to the software vendors) or recently discovered exploits that users have not yet patched in Java, Adobe Reader, Flash, and Internet Explorer (that software update from Adobe may be important, after all).
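The sequence described above, a trusted site referring the browser to a previously unseen host that serves Java, Flash or PDF content, is exactly what a web proxy log records. The following is an added example, not code from the original post or from Skyhigh, of a detection pass over such a log: it parses constructed proxy log lines, compares each request's referer domain with the requested domain, and flags cross-domain fetches of drive-by content types from domains outside the organisation's historical baseline. The log format, the baseline set and the `.invalid` hostnames are all constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed proxy log (not from the post): timestamp user method url referer content-type
PROXY_LOG = """\
2013-09-20T09:01:02 alice GET http://www.example-news.invalid/index.html - text/html
2013-09-20T09:01:03 alice GET http://www.example-news.invalid/style.css http://www.example-news.invalid/index.html text/css
2013-09-20T09:02:10 bob GET http://hobby-blog.invalid/post/42 - text/html
2013-09-20T09:02:11 bob GET http://hobby-blog.invalid/js/site.js http://hobby-blog.invalid/post/42 application/javascript
2013-09-20T09:02:12 bob GET http://cdn-stat.invalid/loader.jar http://hobby-blog.invalid/post/42 application/java-archive
2013-09-20T09:02:13 bob GET http://cdn-stat.invalid/payload.swf http://hobby-blog.invalid/post/42 application/x-shockwave-flash
2013-09-20T09:05:00 carol GET http://hobby-blog.invalid/post/43 - text/html
"""

# Domains the organisation has seen regularly before (constructed baseline, e.g. last 30 days)
BASELINE_DOMAINS = {"www.example-news.invalid", "hobby-blog.invalid"}

# Content types the post names as drive-by vectors (Java, Flash, Reader) plus raw binaries
DRIVE_BY_TYPES = {
    "application/java-archive",
    "application/x-java-applet",
    "application/x-shockwave-flash",
    "application/pdf",
    "application/octet-stream",
}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Split one constructed log line into a dict; returns None for malformed lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, url, referer, ctype = m.groups()
    return {"ts": ts, "user": user, "method": method, "url": url,
            "referer": None if referer == "-" else referer, "ctype": ctype.lower()}


def domain(url):
    return urlparse(url).hostname or ""


def find_suspect_redirects(log_text, baseline):
    """Flag cross-domain fetches of drive-by content from non-baseline hosts.

    A hit means: a page the user was already on (the referer) caused the browser
    to pull Java/Flash/PDF/binary content from a host the organisation has not
    seen before. That is the watering-hole redirect pattern, seen from the proxy.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["referer"] is None:
            continue
        src, dst = domain(rec["referer"]), domain(rec["url"])
        if src == dst or dst in baseline:
            continue  # same-site asset, or a host we already trust from history
        if rec["ctype"] in DRIVE_BY_TYPES:
            alerts.append({"ts": rec["ts"], "user": rec["user"], "referer_domain": src,
                           "url": rec["url"], "ctype": rec["ctype"]})
    return alerts


def watering_hole_candidates(alerts):
    """Count alerts per referring domain: the sites most likely to be the trap."""
    return Counter(a["referer_domain"] for a in alerts)


if __name__ == "__main__":
    hits = find_suspect_redirects(PROXY_LOG, BASELINE_DOMAINS)
    for h in hits:
        print(h)
    print(watering_hole_candidates(hits))
```

In practice the baseline would be built from the proxy's own history rather than a literal set, and the referer check should be treated as a triage signal (referers can be absent or stripped), so the alert is a prompt to pull the host's first-seen time and the fetched file for analysis, not a verdict on its own.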

The user’s computer is assessed for the right set of vulnerabilities and if they exist, an exploit, or a larger piece of code is delivered that will carry out the real attack. Depending on the user’s access rights, the attacker can now access sensitive information in the target enterprise, such as IP, customer information, and financial data. Attackers also often use the access they’ve gained to plant more malware into software source code the user is developing, making the attack exponentially more threatening.

The Consumerization of IT, BYOC, and the (New) Role of IT

September 11, 2013

Nicholas G Carr

9 September 2013

Author: Brandon Cook

It has been a decade since Nicholas Carr published his controversial essay “IT Doesn’t Matter” in the Harvard Business Review. Back then, he claimed that companies weren’t really getting a competitive advantage from the technology advances – the bits and bytes – of hardware and software. Carr argued that IT infrastructure was becoming commoditized, and it was the business strategies using that technology rather than the technology itself that would give companies their competitive advantages.

Ten years later, Carr’s ideas really have become a reality. Now we are in the era of the consumerization of IT and Bring Your Own Cloud (BYOC), where individual workers and business departments rent hardware and software—the virtual machines, the applications, the storage capacity, the big data processing capacity, and so on. Often, they make these choices without IT’s knowledge or approval.

This shift from “own the infrastructure” to “rent the applications” leads to the next question: What is the role of the IT department now? If we no longer need this group to select, install and maintain the latest model server, do they still play a strategic role in the enterprise?

I’d like to share a real-world story that demonstrates that IT departments do have an important and significant role in the BYOC era. Not only does IT have the critical responsibility for protecting corporate data as it moves to the cloud and from the cloud, but this group also makes certain that the right cloud services are being used, in the right way (meeting company policies) and in a productive and cost-efficient manner.

Leveraging Skyhigh, one Fortune 100 company’s IT department gained visibility into the use of public cloud storage services by the company. On average, a company uses 19 different cloud storage services and this particular company was no different. Of course some services are more popular than others with workers, and the company ranked its top 5 cloud storage services by number of users:

  1. Dropbox
  2. Google Drive
  3. SkyDrive
  4. SugarSync
  5. Box

With 19 different services in use, how can employees effectively collaborate and share their work? The IT team polled employees and found they were struggling with managing multiple file sharing services and would prefer having one corporate standard.

Skyhigh analysis of their cloud storage use gave them the necessary insight to understand which services were actively being used, by how many users, how frequently, for how much data, and which ones people had signed up for but used less often. The usage ranking was:

  1. Box
  2. SugarSync
  3. Dropbox
  4. Google Drive
  5. SkyDrive

The data revealed that Box was used most often. And Skyhigh’s CloudRegistry showed that Box was also the lowest risk service. Armed with this data, IT negotiated a corporate-wide deal with Box and set this as the company standard for public cloud storage services. An IT manager at the company told me, “By leveraging Skyhigh data, we are able to look through the landscape of file sharing services and understand employee usage. This presents a clearer and accurate picture, giving us a better context for decision-making that supports our employees.”
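The point of the two rankings above is that "number of users" and "actual usage" are different measures of the same access data, and a service can top one list while sitting at the bottom of the other. The following is an added example, not code from the post or from Skyhigh, that profiles a constructed set of cloud-storage access records three ways (distinct users, request count, bytes moved) and also reports the share of each service's users who signed up but never moved any data. The records, service names and byte counts are constructed to illustrate the divergence, not the company's real figures.

```python
# Constructed access records (not the company's data): (user, service, bytes_uploaded)
RECORDS = [
    ("u1", "Dropbox", 30), ("u2", "Dropbox", 5), ("u3", "Dropbox", 0),
    ("u4", "Dropbox", 0), ("u5", "Dropbox", 0),
    ("u6", "Google Drive", 20), ("u7", "Google Drive", 0),
    ("u8", "Google Drive", 0), ("u9", "Google Drive", 0),
    ("u10", "SkyDrive", 1), ("u11", "SkyDrive", 0), ("u12", "SkyDrive", 0),
    ("u1", "SugarSync", 200), ("u3", "SugarSync", 250), ("u13", "SugarSync", 400),
    ("u1", "Box", 500), ("u1", "Box", 700), ("u2", "Box", 900), ("u2", "Box", 300),
]


def profile_services(records):
    """Aggregate per service: distinct users, request count, total bytes, bytes per user."""
    acc = {}
    for user, service, nbytes in records:
        s = acc.setdefault(service, {"users": {}, "requests": 0, "bytes": 0})
        s["users"][user] = s["users"].get(user, 0) + nbytes
        s["requests"] += 1
        s["bytes"] += nbytes
    return {
        svc: {
            "users": len(s["users"]),
            "requests": s["requests"],
            "bytes": s["bytes"],
            # users whose total transfer is zero: a sign-up that never became real use
            "signup_only_share": sum(1 for b in s["users"].values() if b == 0) / len(s["users"]),
        }
        for svc, s in acc.items()
    }


def rank_by(profile, key):
    """Services ordered by one metric, descending; ties broken by name for determinism."""
    return [svc for svc, _ in sorted(profile.items(), key=lambda kv: (-kv[1][key], kv[0]))]


if __name__ == "__main__":
    prof = profile_services(RECORDS)
    for metric in ("users", "requests", "bytes"):
        print(f"by {metric}: {rank_by(prof, metric)}")
    for svc in rank_by(prof, "users"):
        print(f"{svc}: {prof[svc]['signup_only_share']:.0%} of users never moved data")
```

With these constructed records the ranking by distinct users is Dropbox, Google Drive, SkyDrive, SugarSync, Box, while the ranking by bytes moved is Box, SugarSync, Dropbox, Google Drive, SkyDrive: the same shape the post reports, and the reason a decision made on user count alone would have standardised on the service people had merely tried.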

If you’d like to take a look at the file sharing services in use at your organization to understand the risk profile for each service and the usage beyond “user count”, schedule a free file sharing cloud assessment with Skyhigh (note: assessment results are returned in 12 to 24 hours).

And…if you attend Boxworks next week, make sure to ask Nicholas Carr, who’s speaking at the event, for his take on the role of IT in the BYOC era.


Beyond Encryption: The 5 Pillars of Cloud Data Security

September 3, 2013

Author: Kamal Shah, Skyhigh Networks

Given the recent influx of cyber-security attacks and the hubbub about the National Security Agency’s PRISM program, there is a lot of talk about the importance of encryption to protect corporate data in the cloud. (PRISM is a clandestine data mining operation authorized by the U.S. government in which data stored or passing over the Internet can be collected without the owner’s knowledge or consent.)

While it’s true that encryption helps to keep data private, encryption is just 1 of 5 capabilities needed to completely secure corporate data in the cloud. Allow me to use an analogy in the physical world to explain what I mean.

Banks are an ideal example of the use of layers of security to protect important assets. A bank branch has a vault in which it stores cash and other valuables. Having a vault is essential, but on its own it’s not enough to fully protect the riches within.

The bank also has policies to guide who can access the vault; what identification methods are required to verify that an employee or customer has the right to access the vault; the hours when the vault can be legitimately accessed; and so on.

The bank also needs surveillance cameras so that in event of a breach, the authorities can play back the recording to understand exactly what happened, and when. Stationed near the vault, the bank has a security guard for additional protection against threats and to deter thieves. And finally, the bank employs armored vans to move cash around from the bank to stores, to off-premise ATMs, and to other banks.

Similarly, when we talk about protecting corporate data in the cloud, you need more than just a point encryption solution; you need a comprehensive approach to cloud data security.

Let’s start with encryption—a technology that has been around for decades but is now more important than ever as threats from all angles are increasing. The encryption solution you use on your data needs to be standards-based and it must support both structured and unstructured data. For structured data, the encryption technology must not break any application functionality (such as searching or sorting). This latter requirement is quite important; if you can’t search on data in a comments field in Salesforce.com because it is obscured through encryption, you’ve defeated the value of using the application.

So encryption is 1 of 5 critical security capabilities. What are the other 4?

You need contextual access control so you can ensure secure access to the data based on who the users are, what devices they are using, and what geographic locations they are in.

You need application auditing so you can identify who has accessed which data and alert based on anomalous use. This is critical as most SaaS applications don’t provide an audit trail of “read” operations to understand what exactly happened when an incident occurred.

You need data loss prevention to make sure that PII and PHI data is not moving to or through the cloud in the clear in violation of PCI, HIPAA and HITECH regulations.

And finally, you need the ability to easily but consistently enforce these policies for cloud-to-cloud use cases.

This last need is an up-and-coming requirement that companies are just beginning to realize, but it will grow more important as companies use more cloud-based applications. Let me give you an example.

Let’s say a company uses Jive for business social and Box for cloud storage of documents posted in Jive. When Jason, an employee in my Sales department, posts a blog post on a competitor with a detailed attachment, Jive automatically stores the document in Box. In this cloud-to-cloud scenario, I need to make sure that my security, compliance and governance policies are consistently enforced across both Jive and Box.
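The four capabilities listed above (contextual access control, application auditing, data loss prevention, and consistent cloud-to-cloud enforcement) come down to one policy decision function that every service's events pass through, plus an audit record of each decision. The following is an added example, not code from the post or from Skyhigh, that models this with a small policy engine: a request carries its user, group, device state and country; uploads and external shares are scanned for PII in the clear (SSN pattern and Luhn-validated card numbers); and the Jive post with attachment from the post's scenario is run as two events, the Jive upload and the automatic Box copy, through the same `evaluate()` so the second hop cannot escape rules the first hop enforced. The policy values, the `Context`/`Event` shapes and the detector patterns are constructed assumptions, not any product's API.

```python
import re
from dataclasses import dataclass

# --- Data loss prevention: minimal constructed PII detectors ---
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")   # 16 digits, optional space/dash separators


def luhn_ok(candidate):
    """Luhn checksum; drops 16-digit runs (order ids, serials) that are not card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text):
    """Return {kind: count} for PII found in clear text."""
    found = {}
    ssns = SSN_RE.findall(text)
    if ssns:
        found["ssn"] = len(ssns)
    cards = [c for c in CARD_RE.findall(text) if luhn_ok(c)]
    if cards:
        found["card"] = len(cards)
    return found


# --- Contextual access control ---
@dataclass
class Context:
    user: str
    group: str
    device_managed: bool
    country: str


@dataclass
class Event:
    service: str     # e.g. "jive" or "box"
    action: str      # "upload", "download", "share_external"
    content: str
    ctx: Context


# Constructed policy (hypothetical values)
POLICY = {
    "allowed_countries": {"US", "GB", "DE"},
    "managed_device_actions": {"download", "share_external"},
    "pii_blocked_actions": {"upload", "share_external"},
    "external_share_groups": {"legal"},
}


def evaluate(policy, event):
    """Return (decision, reasons). One function for every service, so a Jive post
    and its Box copy are judged by identical rules."""
    reasons, ctx = [], event.ctx
    if ctx.country not in policy["allowed_countries"]:
        reasons.append(f"country {ctx.country} not allowed")
    if event.action in policy["managed_device_actions"] and not ctx.device_managed:
        reasons.append(f"{event.action} requires a managed device")
    if event.action == "share_external" and ctx.group not in policy["external_share_groups"]:
        reasons.append(f"group {ctx.group} may not share externally")
    if event.action in policy["pii_blocked_actions"]:
        pii = find_pii(event.content)
        if pii:
            reasons.append("PII in clear: " + ", ".join(f"{k}={v}" for k, v in sorted(pii.items())))
    return ("deny" if reasons else "allow"), reasons


def enforce(policy, event, audit):
    """Decide and record: the audit list is the 'read' trail SaaS apps rarely provide."""
    decision, reasons = evaluate(policy, event)
    audit.append({"service": event.service, "user": event.ctx.user,
                  "action": event.action, "decision": decision, "reasons": reasons})
    return decision


def jive_post_with_attachment(policy, ctx, body, attachment, audit):
    """The post's cloud-to-cloud flow: Jive stores the post, then copies the
    attachment to Box. Both hops pass through the same enforce()."""
    decisions = {"jive": enforce(policy, Event("jive", "upload", body, ctx), audit)}
    if decisions["jive"] == "allow":
        decisions["box"] = enforce(policy, Event("box", "upload", attachment, ctx), audit)
    return decisions


def anomalous_readers(audit, threshold):
    """Application auditing: users whose allowed downloads exceed a threshold."""
    counts = {}
    for e in audit:
        if e["action"] == "download" and e["decision"] == "allow":
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n > threshold)


if __name__ == "__main__":
    log = []
    jason = Context("jason", "sales", True, "US")
    print(jive_post_with_attachment(POLICY, jason, "Competitor teardown",
                                    "Pricing sheet with card 4111 1111 1111 1111", log))
    for entry in log:
        print(entry)
```

Run as written, the Jive upload is allowed but the automatic Box copy is denied because the attachment carries a Luhn-valid card number; a policy evaluated only at Jive would have let the same bytes land in Box. The audit list doubles as the input to `anomalous_readers()`, which is where a read-volume alert would be raised in a real deployment.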

Encryption as a means of data security is a good start, but not sufficient. Make sure you bolster it with the other critical security capabilities for a more complete cloud data security strategy. To learn more check out our Beyond Encryption Slideshare.

